We were using permanent tokens to access R2 buckets. However, we found
that we could only create 50 permanent API tokens. Given we create
tokens for each customer/bucket, this approach isn't scalable.
Unfortunately, there's no easy way to increase this limit. While an
enterprise account allows for more tokens, upgrading is not practical
for us. We learned from the community that temporary tokens don't have
this restriction [^1] [^2]. Thus, we've decided to switch to temporary
tokens. Another future benefit is that temporary tokens allow us to set
more specific permissions at the bucket, prefix, and object levels.
We've chosen to use temporary tokens for accessing R2 buckets. Unlike
permanent tokens, this requires sending a session_token with each
request, and we must refresh the token before it expires. I've
implemented refreshing part in the next commit.
[^1]: https://developers.cloudflare.com/r2/api/s3/tokens/#temporary-access-credentials
[^2]: https://developers.cloudflare.com/api/operations/r2-create-temp-access-credentials
20b181b8d7